On Tue, 18 Nov 2003 03:47:35 +0000, Matthew wrote:

I am interested in the mechanics of these cards, which are smart cards
for use on London's transport system. One would hope given the
reported £1billion+ that they are secure.

Apparently they work using a form of RFID
very large snip

Given the fact that these cards are smart cards, I believe
that your speculations are wrong. I could not find any
technical information about the card, but I have some
experience with smart cards, so here are my speculations.

The system is probably based on conventional secret key encryption, I
would not be surprised when it simply uses single DES. The oyster card
would contain several cryptographical keys. For example, it will
contain a key that is used to write info about the card capabilities.
You will need that key to be able to update the info on the card. The
card will also contain some authentication key that readers will use
to verify that it is a valid card. Card authentication will use some
challenge-response protocol, where the reader will generate a random
challenge and the card should return the value of this challenge
encrypted with the authentication key. Again, when you will need to
have this key in order to convince the card readers.

Even though there are some possible attacks, in general it is very
difficult to extract those keys from the smart card.

The next problem is, how do these readers work? In order to
authenticate the card they will also need the same authentication keys
that the card has. Every reader has a SAM (Security Access Module)
that securely holds these keys, in most cases the SAM is just another
type of smart card. What basically happens is that the SAM and the
postcard will engage in some end-to-end secure communication
protocol, after which the SAM will tell the reader if the card was OK
or not. The SAM will not be able to encrypt external data with the
authentication key, otherwise it could be used to imitate the
oyster cards. So even when you steal a SAM, it is of little use, you can
only use it to read and validate other oyster cards.

The keys for updating the oyster cards are not available on the SAM for
the normal card readers. It is very likely that they are only stored
in some secure central location and that all places where you can
update the card will have to communicate with this central
location. Again, this will be an end-to-end secure protocol between the
oyster card and the central location.

Another trick that is likely to be used is key diversification. The
keys for a specific card is derived from some master key in such a way
that it is unique for this card, e.g. the card authentication key for
a card is probably derived from a master authentication key by
encrypting the card id with the master authentication key. In this
way, even when one card is cracked, you still don't have the keys for
the other cards.

I expect that this system should be fairly secure, breaking smart cards
is certainly not trivial. Smart cards have been used for quite some
time, e.g. as electronic purses, in several countries and as far as I
know there have not been any major attacks against the smart cards
themselves.

BTW, one of the major reasons that many public transportation
institutions are highly interested in smart cards is that it will give
them a wealth of information about the travel patterns of their
customers, which they don't have now.

greetings,

Ernst Lippe